Slide transcript (source: 2015.ruxcon.org.au)
Broadcasting your attack: Security testing DAB radio in cars
Andy Davis, Research Director
Image: computerworld.com.au
Agenda
• Who am I and why am I interested in security testing DAB?
• Overview of DAB
• How do we broadcast DAB?
• DAB attack surface
• How did we create a DAB security testing tool?
• Demo
• Example vulnerabilities
• Implications of exploitable DAB protocol bugs
Who am I?
• Research Director at NCC Group
• NCC Group is a global cyber security assurance specialist
• Personal interests include wired and wireless interface security, SDR and developing security testing tools – previous examples:
• Umap, Frisbee – USB
• CECSTeR, EDIDfuzzer – HDMI/VGA
• RFTM – RF Testing Methodology
Why am I interested in DAB?
• The majority of new vehicles are factory fitted with DAB radios
• Often the head unit (which contains the DAB radio) has some form of connectivity to the CAN bus, which is in turn connected to cyber-physical systems such as braking
• DAB doesn’t appear to have received much attention from the security research community
• Software Defined Radios are getting cheaper
Overview of Digital Audio Broadcasting (DAB)
• Digital radio technology for broadcasting radio stations
• Originated as the European Eureka 147 project
• Norwegian Broadcasting Corporation (NRK) launched the first DAB channel in June 1995
• Upgraded version called DAB+ released in February 2007
• Benefits over FM are:
• Better signal reception quality
• Many more data services can be transmitted
• Electronic Programme Guide
Image: wikimedia.org
Modulation & Transmission
• Why was DAB developed?
• Multipath interference
• What is one of the solutions?
• OFDM
• The maximum number of modulated carriers in the DAB signal is 1536
• Actually COFDM (“Coded” OFDM), as Forward Error Correction is used
• The modulation scheme is QPSK
Images: wikimedia.org, tenettech.com
Modulation & Transmission
• Audio signals are digitised & multiplexed together with other data to produce a “bit stream”
• Forward error protection is then applied by adding redundant bits to the bit stream
• During each consecutive symbol, the bits are divided into 1536 pairs
• Each pair is differentially encoded with respect to its counterpart in the previous symbol
• Each of the 1536 differentially encoded bit-pairs is then used to define the phase of a QPSK carrier
• Together these form the spectrum of a 1536-carrier signal
• This is the OFDM generation process, and it is repeated symbol-by-symbol
Image: ak.picdn.net
Multiplexing
• Main Service Channel (MSC) – the bulk of the DAB signal
• Frames of 55296 bits – known as “Common Interleaved Frames” (CIFs)
• Each CIF is divided into time-slots in which logical frames of data for individual services are transmitted
• Repetitive bursts for each service provide “sub-channels”
• Data for each CIF is transmitted in 18 consecutive symbol-blocks
• The first symbol-block in each transmission frame is used for synchronisation
• The remaining 3 symbol-blocks at the beginning of the transmission frame are used to carry the Multiplex Configuration Information (MCI), which includes the Fast Information Channel (FIC)
• Ancillary channels – for synchronisation & housekeeping
Image: media.licdn.com
The Ensemble Transport Interface (ETI)
• Standardised output stream from a DAB multiplexer
• 2 Mbps synchronous data stream
• Network adaptation is defined for G.703 lines (E1)
• ETI is an ETSI standard: EN 300 799
• The ETIsnoop tool is available to decode some of the data:
• http://wiki.opendigitalradio.org/Etisnoop
Image: excellgroup.com
Fast Information Channel (FIC)
• The FIC is required so that the receiver responds rapidly to the user when it is first switched on
• The FIC is divided up into Fast Information Blocks (FIBs)
• Each FIB contains a number of Fast Information Groups (FIGs)
Fast Information Groups (FIGs)
• Each FIG is used for a specific signalling purpose:
FIG data field
• The FIG data field for each FIG type has the following structure:
• Each FIG type has a number of extensions, which provide specific Service
Information (SI) configuration functionality
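As an added illustration of the FIB/FIG layout described on these slides (example code written for this transcript, not code from the talk or from the ODR tools), here is a receiver-side walker that checks every FIG length field against the FIB boundary before handing the data field on. The 30-byte FIB data area, the 3-bit type / 5-bit length header byte and the 0xFF end marker are assumed from ETSI EN 300 401, and the sample FIB is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout per ETSI EN 300 401 (the DAB spec cited in Further reading):
 * a FIB holds 30 bytes of FIG data plus a 16-bit CRC. Each FIG starts with a
 * header byte: type in the top 3 bits, data-field length (0..30) in the low
 * 5 bits. Header 0xFF is the end marker; the rest of the FIB is padding.
 * For FIG type 0 the first data byte holds the extension in its low 5 bits. */
#define FIB_DATA_LEN   30
#define FIG_END_MARKER 0xFF

typedef struct {
    uint8_t type, ext, len;  /* ext is only decoded for FIG type 0 */
    const uint8_t *data;     /* points into the caller's FIB buffer */
} fig_t;

/* Walk the FIGs of one FIB. Returns the FIG count, or -1 when a header's
 * length would run past the 30-byte data area, so that a hostile length
 * never reaches a fixed-size label or database store downstream. */
int fib_walk(const uint8_t *fib, size_t fib_len, fig_t *out, int max_out)
{
    if (fib == NULL || fib_len < FIB_DATA_LEN) return -1;
    size_t pos = 0; int n = 0;
    while (pos < FIB_DATA_LEN) {
        uint8_t hdr = fib[pos];
        if (hdr == FIG_END_MARKER) break;
        uint8_t type = hdr >> 5, len = hdr & 0x1F;
        if (pos + 1 + len > FIB_DATA_LEN) return -1;   /* the overrun check */
        if (n < max_out) {
            out[n].type = type;
            out[n].len  = len;
            out[n].data = fib + pos + 1;
            out[n].ext  = (type == 0 && len > 0) ? (fib[pos + 1] & 0x1F) : 0;
        }
        n++;
        pos += 1 + len;
    }
    return n;
}

/* Constructed sample FIB (not captured off air): a FIG 0/13 with 3 data
 * bytes, a FIG type 1 with 2 data bytes, the end marker, zero padding. */
static const uint8_t sample_fib[32] = {
    0x03, 0x0D, 0xAA, 0xBB,   /* type 0, len 3, extension 13 */
    0x22, 0x00, 0x11,         /* type 1, len 2 */
    0xFF };

/* Runs fib_walk over the sample; with corrupt_length set, the first header is
 * first rewritten to claim a 30-byte data field (type 0, len 30), which
 * overruns the FIB. Returns the FIG count: 2 for the sample, -1 when corrupted. */
int demo(int corrupt_length)
{
    uint8_t fib[32];
    fig_t figs[8];
    memcpy(fib, sample_fib, sizeof fib);
    if (corrupt_length) fib[0] = 0x1E;
    return fib_walk(fib, sizeof fib, figs, 8);
}
```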
Service Information features - example FIGs
Service Information (SI) features are signalled using extensions of FIG types 0 & 1:
• FIG 0/6 - Service linking information
• FIG 0/13 - User application information
• FIG 0/18 - Announcement support
• FIG 0/21 - Frequency Information
• FIG 0/22 - Transmitter Identification Information (TII) database
• FIG 1/0 – Ensemble label
• FIG 1/5 - Data service label
FIG 0/13 - User application information
• FIG 0/13 signals the type of data sent over DAB – interesting…
Programme Associated Data (PAD)
• Each DAB audio frame contains bytes which may carry Programme Associated Data
• PAD is information which is synchronous to the audio
• An example of PAD data is DLS (Dynamic Label Segment), which is often used to display the name of the song playing
Ok, enough of the DAB theory…
Simple DAB transmitter
Diagram (slide image): Audio and Data inputs → Multiplexer → Ensemble Transport Interface (ETI) → Modulator → Software Defined Radio, with a Multimedia Object Transfer (MOT) encoder as the source of the data input.
How do we broadcast DAB?
Here’s why we don’t need to understand the radio part of the protocol…
• Open source DAB transmitter from http://www.opendigitalradio.org/
• odr-dabmux – allows DAB ensembles to be created
• odr-dabmod – uses DAB modulation schemes for use with an SDR
• fdk-aac-dabplus – includes support for DAB MOT Slideshow & DLS
• USRP B200 SDR
• Legal considerations
• Legal considerations
Images: www.ettus.com, opendigitalradio.org
DAB attack surface
• The underlying DAB transport protocols & interfaces, e.g.:
• FIG data within the ETI (Ensemble Transport Interface)
• MOT (Multimedia Object Transfer)
• The HMI (Head unit rendering of DLS and DAB labels)
• The media formats that are processed by the receiver, e.g.:
• Audio
• Images
• Video
• Apps processing Java/IP/raw data
Image: pngimg.com
How did we create a DAB security testing tool?
• The tool mot-encoder is bundled with fdk-aac-dabplus
• mot-encoder enables the DLS & slideshow protocols to be added to DAB Programme Associated Data (PAD) within an Ensemble
• DLS (text) & slideshow (JPEG/PNG) can then be fuzzed via a FIFO being consumed by mot-encoder
• The mot-encoder tool was modified to enable an external process (via a TCP socket) to man-in-the-middle the MOT protocol header & data
• The multiplexer ODR-DabMux was modified to enable the FIG data to be manipulated (again via a TCP socket)
The DABble fuzzer
• Current DABble capabilities:
• Fuzz DLS via a FIFO
• Fuzz JPEG & PNG via a FIFO
• Fuzz MOT protocol via modified version of mot-encoder
• Fuzz the Ensemble data via modified version of ODR-DabMux
• Planned capabilities:
• Fuzz the other protocols being sent over DAB (Video/IP/Java etc.)
• Implement some of the other FIGs that are currently not supported by ODR-DabMux
The DABble fuzzer
Diagram (slide image): the DABble Fuzzer feeds a DLS FIFO and an SLS FIFO into the Multimedia Object Transfer (MOT) encoder and holds one TCP socket to the MOT encoder and another to the Multiplexer; Audio and the MOT encoder output enter the Multiplexer, whose Ensemble Transport Interface (ETI) output goes to the Modulator and on to the Software Defined Radio.
Image: thegapmedia.com
Some example DAB vulnerabilities
FIG 0/13 – MOT Slideshow (SLS)
• JPEGs & PNGs are rendered by the receiver in the vehicle head unit
• Vulnerability in the image parsing library results in code execution
FIG 1/0 – Ensemble label and PAD data
• The ensemble name & DLS information are rendered by the HMI on the head unit, & any arbitrary text can be sent.
• Buffer overflows unlikely, as there is a fixed maximum size
• Format string bugs possible
• Ensemble information is sometimes stored in a local database – SQL injection
• Head units increasingly connected to the Internet – XSS
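The label-handling points on this slide (fixed size, format strings, database storage) as an added example written for this transcript, not code from the talk: a FIG 1/0 ensemble label is copied out by its spec-fixed length and then rendered as data rather than as a format string. The 21-byte FIG 1/0 layout is assumed from ETSI EN 300 401, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of a FIG 1/0 data field per ETSI EN 300 401: 1 byte of
 * charset/OE/extension flags, 2-byte Ensemble Id, 16-byte label (space
 * padded, no terminator), 2-byte character flag field: 21 bytes in all. */
#define FIG10_LEN 21
#define LABEL_OFF 3
#define LABEL_LEN 16

/* Copy the label into a NUL-terminated C string, treating the bytes as
 * untrusted data: the length is fixed by the spec rather than taken from
 * the air interface, embedded NULs and other non-printable bytes become
 * '?', and trailing padding is trimmed. For brevity only printable ASCII
 * passes; a real receiver maps the signalled charset to its display set.
 * Returns the label length, or -1 for a short or wrong-extension FIG. */
int ensemble_label_extract(const uint8_t *fig, size_t fig_len, char *out, size_t out_len)
{
    if (fig == NULL || fig_len < FIG10_LEN || out_len < LABEL_LEN + 1) return -1;
    if ((fig[0] & 0x07) != 0) return -1;    /* extension bits must be 0 */
    size_t n = 0;
    for (size_t i = 0; i < LABEL_LEN; i++) {
        uint8_t c = fig[LABEL_OFF + i];
        out[n++] = (c >= 0x20 && c < 0x7F) ? (char)c : '?';
    }
    while (n > 0 && out[n - 1] == ' ') n--;
    out[n] = '\0';
    return (int)n;
}

/* Rendering: the label is always an argument, never the format string.
 * printf(label) would let '%' sequences in the broadcast drive the call;
 * the same rule applies when the label is stored: bind it as a parameter
 * in the SQL statement, never concatenate it into the query text. */
void ensemble_label_render(const char *label)
{
    printf("Ensemble: %s\n", label);
}

/* Constructed sample FIG 1/0 (not captured off air). The label carries
 * '%' sequences and an embedded NUL to show that neither changes the
 * fixed-length copy nor reaches printf as a format string. */
static const uint8_t sample_fig10[FIG10_LEN] = {
    0x00,                    /* charset 0 (EBU Latin), OE 0, extension 0 */
    0xCE, 0x15,              /* Ensemble Id, constructed value */
    'T','e','s','t',' ','%','s','%','n',0x00,'R','a','d','i','o',' ',
    0xFF, 0xFF };            /* character flag field */

/* Extracts the sample label into a static buffer; returns its length (15). */
static char label_buf[LABEL_LEN + 1];
int demo_extract(void)
{
    return ensemble_label_extract(sample_fig10, FIG10_LEN, label_buf, sizeof label_buf);
}
const char *demo_label(void) { return label_buf; }
```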
Databases of information
• FIG 0/6 – Service linking information
• Where DAB broadcasts have local services
• FIG 0/22 – Transmitter Identification Information (TII) database
• The TII database provides a cross-reference between transmitter identifiers & geographic location of the transmitters
• Potential for buffer overflows where fixed size buffers are allocated to store these databases that are downloaded over DAB by the receiver
Implications for other vehicle systems
Diagram (slide image): ADAS features that could be disabled – AEB, ACC, Lane-Keep Assist, Blind Spot Monitoring, Parking Sensor Indication.
• System architecture is often insecure:
• Direct access to CAN bus, or via D-Bus
• D-Bus bound to all network interfaces
• D-Bus messages used to directly disable ADAS features
Implications of DAB as a broadcast medium
Multiple vehicles can be attacked simultaneously
Scenario #1
• Attacker uses a high power transmitter to replicate a public DAB ensemble and overpowers the public transmission
• Major disadvantage: Not stealthy – would likely be spotted quickly
Scenario #2
• Attacker uses a low power transmitter and creates a new DAB ensemble on an unused local frequency
• Most DAB receivers constantly re-tune
• Attacker chooses station name to entice target audience
Conclusions
• DAB is an obvious remote attack route into a vehicle
• A single attack could be broadcast to many targets
• There are many protocols that can be transmitted over DAB, which could be attacked
• The core DAB protocols e.g. ETI & MOT can also be attacked
• How many DAB radio developers have assumed that the broadcast data is trusted?
Further reading
• DAB specification: http://www.etsi.org/deliver/etsi_en/300400_300499/300401/01.04.01_40/en_300401v010401o.pdf
• MOT specification: http://www.etsi.org/deliver/etsi_en/301200_301299/301234/02.01.01_40/en_301234v020101o.pdf
• ETI specification: http://www.etsi.org/deliver/etsi_i_ets/300700_300799/300799/01_30_9733/ets_300799e01v.pdf